lurk in your cluster, with the supernatural powers of Chris Kranz, Sysdig | Andy Randall, Kinvolk @ckranz @sysdig @falco_org @andrew_randall @kinvolkio
all parties! IDC Tech Brief suggests security is the #1 challenge facing DevOps as you scale Kubernetes.

Timeline of Kubernetes-related vulnerabilities, Jan 2019 to Jul 2020 (dates on the timeline: Jan, Feb, Mar, Apr, Jun, Aug, Oct 2019; Apr, Jun, Jul, Jul 2020):
• Kubernetes dashboard vulnerability
• Container runtime vulnerability
• New vulnerabilities discovered in Envoy
• Severe Kubernetes HTTP/2 vulnerability
• Kubernetes dashboard vulnerability
• kubectl cp vulnerability
• Kubernetes API server DoS vulnerability
• Vulnerability discovered in kube-proxy
• kube-controller-manager vulnerable to Server Side Request Forgery (SSRF)
• Vulnerability that allows man-in-the-middle (MitM) attacks
• kube-apiserver vulnerability that can lead to privilege escalation
past

HERE LIES A. Pod: "Ran as Root". Lateral movement. Privilege escalation.
RIP M.Y. Cluster: "Succumbed to a critical vulnerability". Exposed management interface.

>50% of images have critical or high severity vulnerabilities*
>50% of images run as root*
(* Source: Sysdig 2019 Container Usage Report)
run a program you are making system calls. System calls are how a program enters the kernel to perform some task:
• Processes
• Network
• File I/O
• ... and much more

Every process, network and file action a container performs passes through this boundary, which is why observing system calls gives complete coverage of what a workload actually does, independent of the language or framework it was written in.

Stack: Applications > Kubernetes > Operating System > Kernel (where the magic happens)
extended Berkeley Packet Filter (eBPF):
• Custom programs that run in the Linux kernel
• Safe virtual machine with restricted functionality (and code verification before loading)
• Hooks, functions and data structures (maps)
Purgatory (aka kernel space): the eBPF probe attaches to a hook and writes events into eBPF maps.
Land of the living (aka user space): the tool reads the eBPF maps and evaluates them.
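What happens once events reach user space is easiest to see in code. The block below is an added example, not Falco, Sysdig or Kinvolk code: it assumes (hypothetically) that a kernel probe such as the eBPF program just described has already copied system-call events (process execution, file I/O, network, uid changes) into user-space records, and it evaluates a handful of rules over them. The record fields, rule names, allow-list and the sample event stream are all constructed for this example.

```python
"""Toy rule engine over syscall events, in the style of a syscall-based
runtime security tool. Added example, not Falco/Sysdig/Kinvolk code.

Assumptions (hypothetical): a kernel probe (eBPF or kernel module) has
already copied syscall events into user space as SyscallEvent records;
the field names, rule names, allow-list and sample events are constructed
for this example only.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SyscallEvent:
    ts: float                  # seconds since boot (constructed)
    syscall: str               # "execve", "openat", "connect", "setuid"
    pid: int
    uid: int                   # effective uid of the calling process
    comm: str                  # short process name
    container: Optional[str]   # container id, None for a host process
    args: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: str              # "WARNING", "ERROR", "CRITICAL"
    condition: Callable[[SyscallEvent], bool]


SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
SENSITIVE_FILES = ("/etc/shadow", "/etc/passwd", "/etc/sudoers")
# Container processes expected to open outbound connections (constructed allow-list).
ALLOWED_NET_PROCS = {"python3", "nginx"}


def _basename(path: object) -> str:
    return str(path).rsplit("/", 1)[-1]


def shell_in_container(ev: SyscallEvent) -> bool:
    """execve() of an interactive shell inside a container."""
    return (ev.syscall == "execve" and ev.container is not None
            and _basename(ev.args.get("exe", "")) in SHELLS)


def sensitive_write_as_root(ev: SyscallEvent) -> bool:
    """Root opening a sensitive file for writing (O_WRONLY or O_RDWR)."""
    return (ev.syscall == "openat" and ev.uid == 0
            and str(ev.args.get("path", "")).startswith(SENSITIVE_FILES)
            and str(ev.args.get("flags", "")) in ("O_WRONLY", "O_RDWR"))


def unexpected_outbound(ev: SyscallEvent) -> bool:
    """connect() from a container process that is not on the allow-list."""
    return (ev.syscall == "connect" and ev.container is not None
            and ev.comm not in ALLOWED_NET_PROCS)


def setuid_to_root(ev: SyscallEvent) -> bool:
    """A non-root process asking the kernel to become uid 0."""
    return (ev.syscall == "setuid" and ev.uid != 0
            and ev.args.get("uid") == 0)


RULES: List[Rule] = [
    Rule("Shell spawned in container", "WARNING", shell_in_container),
    Rule("Sensitive file opened for writing by root", "ERROR", sensitive_write_as_root),
    Rule("Unexpected outbound connection from container", "WARNING", unexpected_outbound),
    Rule("Non-root process switching to uid 0", "CRITICAL", setuid_to_root),
]


def evaluate(events, rules=RULES) -> List[Tuple[str, str, int]]:
    """Return (priority, rule name, pid) for every event that matches a rule."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule.condition(ev):
                alerts.append((rule.priority, rule.name, ev.pid))
    return alerts


def count_by_priority(alerts) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for prio, _, _ in alerts:
        counts[prio] = counts.get(prio, 0) + 1
    return counts


# Constructed event stream: a root container process is abused to spawn a
# shell, tamper with /etc/shadow and call back out; a non-root helper then
# tries to become root. Benign host and container activity is mixed in.
SAMPLE_EVENTS = [
    SyscallEvent(100.0, "execve", 4201, 1000, "python3", "c0ffee", {"exe": "/usr/bin/python3"}),
    SyscallEvent(100.5, "connect", 4201, 1000, "python3", "c0ffee", {"dst": "10.0.0.7:5432"}),
    SyscallEvent(101.0, "execve", 4210, 0, "sh", "c0ffee", {"exe": "/bin/sh"}),
    SyscallEvent(101.2, "openat", 4210, 0, "sh", "c0ffee", {"path": "/etc/passwd", "flags": "O_RDONLY"}),
    SyscallEvent(101.4, "openat", 4210, 0, "sh", "c0ffee", {"path": "/etc/shadow", "flags": "O_WRONLY"}),
    SyscallEvent(102.0, "connect", 4210, 0, "sh", "c0ffee", {"dst": "203.0.113.9:4444"}),
    SyscallEvent(103.0, "setuid", 4300, 1000, "nc", "c0ffee", {"uid": 0}),
    SyscallEvent(104.0, "openat", 900, 1000, "journald", None, {"path": "/var/log/x", "flags": "O_WRONLY"}),
]

if __name__ == "__main__":
    for prio, name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{prio:8} pid={pid} {name}")
    print(count_by_priority(evaluate(SAMPLE_EVENTS)))
```

Two things the toy leaves out that matter in a real probe: the container id has to be attributed in the kernel (from the process's cgroup) before the event is handed over, and a read-only open of /etc/passwd is deliberately not an alert, because normal programs do that constantly; rules that fire on benign syscalls are how a runtime tool gets switched off.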
brought to you by Software Circus. If you liked it... please tweet about it, visit our websites and buy our products. If you didn't... then Frank here would like a word.